Spectre and Meltdown Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

Spectracom products are only susceptible if an attacker can successfully authenticate with the product and gain command line shell access. Malware must be run locally on the system to exploit these vulnerabilities. Spectracom recommends following good security practices, including applying software updates containing the latest security patches as they become available, and applying policies and settings that protect and limit access to authorized and trusted users. We are working to update our operating systems and software as patches become available to resolve these potential vulnerabilities within the affected products. We will update this bulletin as new information becomes available.
January 5, 2018
Severity: 
Affected Products: 
NetClock
SecureSync
VelaSync
VersaSync

Two vulnerabilities, Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754), were published on Jan 3, 2018, affecting products that use Intel, AMD, and Arm microprocessors. These vulnerabilities can potentially allow an authenticated user to read sensitive data within a system that the user would normally not have permission to access. They do not allow modification of any of this sensitive data.

Spectracom products are only susceptible if an attacker can successfully authenticate with the product and gain command line shell access. Malware must be run locally on the system to exploit these vulnerabilities. Spectracom recommends following good security practices, including applying software updates containing the latest security patches, and applying policies and settings that protect and limit access to authorized and trusted users.

Spectracom is committed to investing in the security and reliability of our products. We are working to update our operating systems and software as patches become available to resolve these potential vulnerabilities within the affected products. We will update this bulletin as new information becomes available.

Products Affected:

  • SecureSync (Spectre only) - Resolved in SW version 5.8.0
  • NetClock (Spectre only) - Resolved in SW version 5.8.0
  • VersaSync (Spectre only)
  • VelaSync - Contact us for more information

Description of the Vulnerability

The underlying vulnerabilities of modern microprocessors presented by Spectre and Meltdown have been present for many years. These vulnerabilities can potentially allow an authenticated user to read sensitive data within a system that the user would normally not have permission to access. They do not, however, allow modification of any of this sensitive data.

Risk Analysis and Recommendation

Spectracom products use a variety of authentication mechanisms to prevent unauthorized users from gaining access to the products. Spectracom recommends keeping your products up to date with the latest security patches as they become available, disabling less secure protocols, using access control lists to limit connectivity, and following user authentication best practices on all accounts. These best practices include ensuring default passwords are changed and configuring password rules/aging on the device. Additional centralized authentication mechanisms, such as LDAP and/or RADIUS, can be used as well.